Multi-party Stand-Alone and Setup-Free Verifiably Committed ...

Multi-party Stand-Alone and Setup-FreeVerifiably Committed Signatures

Huafei Zhu1, Willy Susilo2, and Yi Mu2

1 Cryptography Lab, Institute for Infocomm Research, A-star, [email protected]

2 School of Computer Science and Software Engineering,University of Wollongong, Australia

{wsusilo,ymu}@uow.edu.au

Abstract. In this paper, we first demonstrate a gap between the se-curity of verifiably committed signatures in the two-party setting andthe security of verifiably committed signatures in the multi-party set-ting. We then extend the state-of-the-art security model of verifiablycommitted signatures in the two-party setting to that of multi-partysetting. Since there exists trivial setup-driven solutions to multi-partyverifiably committed signatures (e.g., two-signature based solutions, wepropose solutions to the multi-party stand-alone verifiably committedsignatures in the setup-free model, and show that our implementation isprovably secure under the joint assumption that the underlying Zhu’s sig-nature scheme is secure against adaptive chosen-message attack, Fujisaki-Okamoto’s commitment scheme is statistically hiding and computation-ally binding and Paillier’s encryption is semantically secure and one-wayas well as the existence of collision-free one-way hash functions.

Keywords: multi-party, setup-free, stand-alone, verifiably committedsignatures.

1 Introduction

Optimistic fair-exchange protocols was first introduced by Asokan et al, in [1]and formally studied in [2], [3] and [14] in the context of verifiably encryptedsignatures. Very recently, Dodis and Reyzin[11] have formalized a unified modelfor fair-exchange protocols as a new cryptographic primitive called verifiablycommitted signatures in the two-party setting. Zhu and Bao[20] have shownthat the existence of verifiably encrypted signatures implies the existence ofthe verifiably committed signatures while the existence of verifiably committedsignatures does not imply the existence of verifiably encrypted signatures. As aresult, the notion of verifiably committed signatures is a general extension of thenotion of verifiably encrypted signatures.

A verifiably committed signature can be setup-driven or setup-free[19]. A ver-ifiably committed signature is called setup-driven if an initial key setup protocolbetween a primary signer and its trusted third party (TTP) must be involved

T. Okamoto and X. Wang (Eds.): PKC 2007, LNCS 4450, pp. 134–149, 2007.c© International Association for Cryptologic Research 2007

Multi-party Stand-Alone and Setup-Free Verifiably Committed Signatures 135

such that at the end of the key setup protocol, the primary signer and its TTPshare a prior auxiliary string. This shared auxiliary information enables TTPto convert any valid partial signature into the corresponding full signature ifa conflict occurs between the primary signer and its verifier. A verifiably com-mitted signature is called setup-free if an individual participant needs not tocontact his/her arbitrator(s) even for the registration purpose. Namely, no ini-tial key setup procedure between a primary signer and his/her TTP is involvedexcept for one requirement that the primary signer can obtain and verify TTP’scertificate and vice versa.

A verifiably committed signature can be stand-alone[19] or not[18]. A verifi-ably committed signature is called stand-alone if on input a valid partial signa-ture scheme, the distribution of outputs of a resolution algorithm is identical withthe distribution of signatures generated by a full signing algorithm. A verifiablycommitted signature is called non-stand-alone if it is not stand-alone.

The state-of-the-art verifiably committed signatures are only considered inthe two-party setting (a primary signer and a verifier, together with an off-linearbitrator). We are interested in studying stand-alone and setup-free verifiablycommitted signatures in the multi-party setting throughout the paper by demon-strating that the security of two-party setup-free verifiably committed signaturesdoes not guarantee the security of multi-party setup-free verifiably committedsignatures.

We stress that the existence of multi-party verifiably committed signatures inthe setup-driven model is obvious assuming that the underlying signatures aresecure in the sense of [13]. That is, suppose a primary signer’s public and secretkey pair (pk1, sk1) is the public key and secret key pair for the first signaturescheme, and at the same time the prime signer and its TTP share another pub-lic/secret key (pk2, sk2) of the second signature scheme. By pk= (pk1, pk2) wedenote the public key of the entire signature scheme, and by sk=(sk1, sk2), wedenote the corresponding secret keys. Now given a message m, the primary signerproduces its partial signature σ1 on the message m. A full signature of the mes-sage m is defined as σ =(σ1, σ2), where σ2 is the signature of m correspondingthe public/secret key pair (pk2, sk2). It is easy to verify that this two-signaturebased solution is a multi-party verifiably committed signature scheme since thesecurity of public key signatures in the two-party setting is preserved in themulti-party setting[6]. This leaves an interesting research problem: how to im-plement multi-party stand-alone and setup-free verifiably committed signaturesin the standard complexity model?

The contribution of this paper is of three-fold. In the first fold, we demonstratethat there is a gap between the security of two-party verifiably committed signa-tures and multi-party verifiably committed signatures. In the second fold, we ex-tend the state-of-the-art security definition of verifiably committed signatures inthe two-party setting to that of the multi-party case. In the third fold, we proposean efficient implementation of multi-party stand-alone and setup-free verifiablycommitted signatures. We are able to show that our implementation is provablysecure under the joint assumption that the underlying Zhu’s signature scheme is

136 H. Zhu, W. Susilo, and Y. Mu

secure against adaptive chosen-message attack, Fujisaki-Okamoto’s commitmentscheme is statistically hiding and computationally binding and Paillier’s encryp-tion is semantically secure and one-way as well as the existence of collision-freeone-way hash functions. To the best of our knowledge, this is the first imple-mentation of stand-alone and setup-free verifiably committed signature schemewhich is provably secure in the multi-party setting.

The rest of this paper is organized as follows: in Section 2, a gap betweenthe security of two-party verifiably committed signatures and multi-party veri-fiably committed signatures is demonstrated. In Section 3, syntax and securitydefinitions of stand-alone and setup-free verifiably committed signatures in themulti-party setting are introduced and formalized. In Section 4, building blockson which our implementation is based are briefly sketched. An efficient implemen-tation of multi-party stand-alone and setup-free verifiably committed signaturesis proposed in Section 5, and we conclude our work in Section 6.

2 A Gap Between Two-Party and Multi-party VerifiablyCommitted Signatures

A stand-alone and setup-free verifiably committed signature in the two-partysetting based on Cramer and Shoup’s signature scheme has been presented in[19]. We are about to demonstrate that although this scheme is provably securein the two-party setting, it is not secure in the multi-party setting. To show thisgap, we first sketch their scheme below:

– primary signer’s key generation algorithm KGA: on input kA, a primarysigner Alice runs KGA to generate two large safe primes pA and qA such thatpA −1 = 2p′A and qA −1 = 2q′A, where p′A, q′A are two l′-bit primes. KGA alsochooses two random elements xA and hB from QRnA , where nA = pAqA andQRnA is the quadratic residue of Z∗

nA. Finally, KGA outputs a description of

a group G of order s, and two random elements g1 and g2 of G with orders. We stress that in the Cramer and Shoup’s signature scheme the choice ofgroup G is independent with nA (see [8] for more details).

The public key of Alice is (nA, hA, xA, g1, g2, H), along with an appro-priate description of G including s, where H is a collision-free cryptographichash function with output length l-bit (say, l=160). The private key is(pA, qA). The primary signer Alice now proves to her CA that all valuesare correctly generated and then obtains her certificate CertA from her CA;

– arbitrator’s key generation algorithm KG: on input k′, an arbitrator runs KGto generate a k′-bit RSA modulus N = pcqc, where pc, qc are two large safeprimes.

The public key of the arbitrator is APK=((1 + N), N). The private keyis ASK=(pc, qc). The arbitrator should prove to his CA that the public andsecret key pair is correctly generated and then obtains his certificate CertB

from his CA;


– full signing algorithm Sig: To sign a message m, Alice runs Sig to chooseat random a (l + 1)-bit prime number e, a string t ∈ Zs. The equation

ye = xAhAH(gt

1gH(m)2 ) modnA is solved for y. The corresponding signature σ

of the message m is (e, t, y).– full verification algorithm Vf: given a putative triple (e, t, y), a verifier Bob

runs Vf to check whether e is an odd (l + 1)-bit number. If so, Bob further

checks the validation of the equation xA = yehA−H(gt

1gH(m)2 )modnA. If the

equation is valid, then Bob accepts, otherwise, he rejects.– partial signing algorithm PSig: on input a message m, Alice runs PSig to

choose a (l + 1)-bit prime e and a string t ∈ Zs. The equation ye =

xAhAH(gt

1gH(m)2 ) modnA is solved for y.

Alice then computes u=gt1 and c= (1 + N)trN modN2 together with a

proof pr that she knows that u contains the same number as the encryptionand t ∈ I using Boudot’s protocol [4]. The partial signature σ′ of messagem is defined by (e, y, u, c, pr).

– partial verification algorithm PVf:given a putative signature σ′=(e, y, u, c, pr),Bob runs PVf to check whether e is an odd (l + 1)-bit number. Second PVf

checks the validity of the equation xA = yehA−H(ug

H(m)2 ) modnA. If the

equation is valid, then PVf further checks the validity of proof pr that ucontains the same number as the encryption, and then uses Boudot’s protocolto verify that the encrypted value t ∈ I. If it is valid then the verifier accepts,otherwise, it rejects.

– resolution algorithm Res: given σ′=(e, y, u, c, pr) and a proof that Bob ful-filled his obligation to the primary signer. The arbitrator first checks validityof the request message. If so, the arbitrator then runs Res to output a validfull signature of (e, y, t) using his decryption key, otherwise, Res rejects therequest.

Suppose now an adversary Eve generates two large safe primes pE and qE

such that pE = 2p′E + 1 and qE = 2q′E + 1, where p′E , q′E are two l′-bit primes.Eve also chooses two random elements xE , hE ∈ QRnE , where nE = pEqE andQRnE is the quadratic residue of Z∗

nE. Eve’s now reuses Alice’s partial public

key (G, s, g1, g2). We stress that the reuse of Alice’s partial public key is not aproblem since the public data (G, s, g1, g2, H) can be chosen independently withthe private key (nA, pA, qA). We now can show how the malicious verifier Boband Eve attack Alice below:

– Alice gives her partial signature (e, y, u, c, prA) to Bob, where prA is Alice’sproof that u contains the same number as that of c and the encrypted valuet ∈ I;

– Bob gives his partial signature (e′, y′, u, c, prB) to the malicious Eve, whereprB ← prA. We stress that although the malicious Bob does not know theexactly hiding value t ∈ I, he can provide a valid proof prB by copying Alice’sprA.

– Eve asks TTP to open Bob’s signature by forwarding partial signature(e′, y′, u, c, prB) and a proof that Eve fulfilled her obligation to Bob;


– TTP opens t such that u = gt and c =E(t, r) if and only if (e′, y′, u, c, prB)and a proof that Eve fulfilled her obligation to Bob are valid; Finally, TTPsends t back to Eve;

– Eve gives t to Bob, who now has the full signature of Alice.

The counterexample shows that the security of verifiably committed signa-tures in the single setting does not imply the security of verifiably committedsignatures in the multi-party setting. We stress that in the above counterexam-ple, the common reference string (the description of G is shared between Aliceand Eve) is reused. This is possible since the description of G is independentwith APK.

3 Multi-party Stand-Alone and Setup-Free VerifiablyCommitted Signatures: Syntax and Security Definitions

3.1 Syntax

We now extend (stand-alone and setup-free) two-party verifiably committed sig-natures [11], [19] and [20] to the multi-party verifiably committed signaturessetting.

Definition 1. A multi-party stand-alone and setup-free verifiably committedsignature scheme consists of the following algorithms:

– arbitrator key generation algorithm KG: on input a security parameter k, itreturns a public key and secret key pair (pk, sk);

– individual key generation algorithms IKG: on input a security parameter ki,it returns a public key and secret key pair (pki, ski).

– full signing and verification algorithms(Sig, Vf): these are conventional sign-ing and verification algorithms. on input a message mj, pki and ski, Sig out-puts a full signature σi,j on mj; on input a putative signature (mj , σi,j , pki),Vf will output 1 (accept) or 0 (reject);

– partial signing and verification algorithms(PSig, PVf): these are partial sign-ing and verification algorithms, which are similar to ordinary signing andverification algorithms, except they can depend on the public arbitration keypk. That is, on input a message (mj, ski, pki, pk), PSig outputs a partialsignature σ′

i,j; on input a putative partial signature (mj, σ′i,j, pki, pk), PVf

outputs 1 (accept) or 0 (reject);– resolution algorithm Res: this is a resolution algorithm run by the arbitrator

in case the primary signer pki refuses to open her signature σi,j to the ver-ifier, who in turn possesses a valid partial signature σ′

i,j on mj and a proofthat he fulfilled his obligation to the primary signer1. In this case, Res(mj,σ′

i,j , pki, sk, pk) should output a valid full signature σi,j of mj.

1 The definition does not deal with any specific question of how a verifier proves tothe arbitrator that he/she fulfilled his/her obligation to the primary signer.


Correctness. The correctness property of a multi-party verifiably committedsignatures states that:

– Vf(mj ,Sig(mj, ski, pki)=1 (∀ j, ∀ i);– PVf(mj , PSig(mj , ski, pki, pk), pki, pk)=1 (∀ j, ∀ i);– Vf(mj , Res(PSig(mj , ski, pki, pk), sk, pk, pki), pki)=1 (∀ j, ∀ i).

3.2 The Definitions of Security

We extend the security definition of Dodis and Reyzin[11] in the two partysetting to the multi-party setting. The security definition of multi-party stand-alone and setup-free verifiably committed signatures consists of the followingthree aspects: security against any primary signer, security against any verifierand security against any arbitrator/TTP.

Security against malicious primary signer: Intuitively, an individual pri-mary signer should not provide a partial signature which is valid both from theviewpoints of a verifier and an arbitrator but which will not be opened into theprimary signer’s full signature by the honest arbitrator. More precisely, By ki, wedenote the system security parameter of individual user i; By OPSig(pki,ski,···),we denote an oracle of the partial signing procedure PSig(pki, ski, · · ·) and byORes(pki,pk,sk,···) an oracle of the resolution procedure Res(pki, pk, sk, · · ·). Werequire that any probabilistic polynomial time Adv succeeds with at most negli-gible probability in the following game.

– arbitrator key generation algorithm KG: on input a security parameter k, itoutputs (sk, pk);

– individual key generation algorithm IKG: on input a security parameter ki,it outputs (sk∗

i , pki), where IKG∗(ki) denotes the run of key generator IKGwith the corrupted primary signer pki by the adversary, and sk∗

i denotes theadversary’s states.

The honest primary signer j (j �= i) runs IKG on input kj and obtains apublic and secret key pair (pkj , skj). The adversary obtains (pkj , skj) andpki but not sk∗

i (1 ≤ i, j ≤ t(k′) and j �= i).– resolution oracle query ORes(pki,pk,sk,···): for each adaptively chosen message

mj , the adversary computes its partial signature σ′i,j for mj and forwards

σ′i,j

to the oracle ORes(pki,pk,sk,σ′i,j

) to obtain full signature σi,j of messagemj , where 1 ≤ j ≤ t(ki), and t(·) is a polynomial.

– at the end of ORes(pki,pk,sk,···) oracle query, the adversary produces a messageand its full signature pair (m∗, σi,∗), i.e.,

(m∗, σ′i,∗) ← AdvO

Res(pki,pk,sk,···)(sk∗

i , pki, pk); m∗ �= mj , 1 ≤ j ≤ t(k′);

σi,∗ ← Adv(m∗, σ′i,∗, sk

∗, pk, pki)

– success of succ=[PVf(m∗, σ′i,∗, pk, pki) = 1 ∧ Vf(m∗, σi,∗, pki) = 0].


Definition 2. A multi-party verifiably committed signature is secure againstmalicious primary signer pki, if any probabilistic polynomial time adversaryAdv associated with resolution oracle, succeeds with at most negligible proba-bility, where the probability takes over coin tosses in IKG∗(ki, ·), PSig(pki, ·) andORes(pki,pk,sk,···).

Security against malicious verifier: Suppose a primary signer pki and averifier v are trying to exchange signature in a fair way. The primary signerpki wants to commit to the transaction by providing his/her partial signature.Of course, it should be computationally infeasible for the verifier v to computethe corresponding full signature from any partial signature2. More formally, werequire that any probabilistic polynomial time adversary Adv succeeds with atmost negligible probability in the following game:

– arbitrator key generation algorithm KG: on input a security parameter k, itoutputs (sk, pk);

– individual key generation IKG: on input a security parameter kj , it outputs(skj , pkj), where IKG(kj) denotes the run of key generator IKG with the cor-rupted primary signer pkj by the adversary, and skj denotes the adversary’sstates. The honest primary signer i (i �= j) runs IKG(ki), obtains a publicand secret key pair (pki, ski). The adversary obtains (pkj , skj) and pki butnot ski (1 ≤ i, j ≤ t(k′) and j �= i).

– OPSig(pki,ski,pk,·) and ORes(pki,sk,pk,···) oracle queries: for each adaptivelychosen message mj , the adversary obtains a partial signature σ′

i,j of mes-

sage mj by querying the partial signing oracle OPSig(i,mj). The adversaryforwards σ′

i,j to the resolution oracle ORes(pki,sk,pk,σ′i,j ) to obtain the full

signature σi,j of message mj , where 1 ≤ j ≤ t(ki), and t(·) is a polynomial.– at the end of oracle queries to OPSig(pki,ski,pk,···) and ORes(pki,sk,pk,···),

the adversary outputs a message-partial signature pair (m∗, σ′i,∗). On in-

put (m∗, σ′i,∗), the adversary further outputs a message-full signature pair

(m∗, σi,∗) ← AdvOPSig(pki,ski,pk,σ′

i,∗ ),ORes(pki,sk,pk,σ′

i,∗ )

.– success of adversary succ: = [Vf(m∗, σi,∗, pki) = 1 ∧ m∗ /∈ Query (Adv,

ORes(pki,sk,pk,···))], where Query( Adv, ORes(pki,sk,pk,···)) is the set of validqueries the adversary Adv asked to the resolution oracle ORes(pki,sk,pk,···),i.e., (m∗, σ′

i,∗) such that Vf(m∗, σ′i,∗) = 1.

Definition 3. A multi-party verifiably committed signature is secure againsta malicious verifier, if any probabilistic polynomial time adversary Adv whichis associated with a partial signing oracle OPSig(pki,ski,pk,···) and a resolutionoracle ORes(pki,sk,pk,···), succeeds with at most negligible probability, where theprobability takes over coin tosses in (pki, ski)← IKG(ki) and (pk, sk)← KG(k),OPSig(pki,ski,pk,···) and ORes(pki,sk,pk,···).2 The security preventing a malicious third party from forging valid partial signatures

is stated as security against any malicious arbitrator below as a malicious arbitratoris the most powerful adversary in the security model.


Security against semi-trusted arbitrator: Even though the arbitrator issemi-trusted, a primary signer does not want this arbitrator to produce a validsignature which the primary signer do not intend on producing. To achieve thisgoal, we require that any probabilistic polynomial time adversary Adv associatedwith partial signing oracle OPSig(pki,ski,pk,···), succeeds with at most negligibleprobability in the following game:

– key generation algorithm KG∗: on input security parameter k, KG∗(k) out-puts (sk∗, pk), where KG∗(k) is run by the dishonest arbitrator.

– individual key algorithm IKG: on input a security parameter kj , it outputs(skj , pkj), where IKG(kj) denotes the run of key generator IKG with the cor-rupted primary signer pkj by the adversary, and skj denotes the adversary’sstates. The honest primary signer i (i �= j) runs IKG(ki), obtains a publicand secret key pair (pki, ski). The adversary obtains (pkj , skj) and pki butnot ski (1 ≤ i, j ≤ t(k′) and j �= i).

– OPSig(pki,ski,pk,···) oracle query: for each adaptively chosen message mj ,the adversary obtains the partial signature σ′

i,j for mj from the oracle

OPSig(pki,ski,pk,mj), where 1 ≤ j ≤ t(k′).– at the end of the partial partial signing oracle query, the adversary produces

a message-full signature pair (m∗, σi,∗), i.e.,

(m∗, σi,∗) ← AdvOPSig(pki,ski,pk,m∗)

(sk∗, pk, pki).

– success of adversary is defined as follows:

succ = [Vf(m, σ, pki) = 1 ∧ m∗ /∈ Query(Adv, OPSig(pki,ski,pk,···))]

where Query( Adv, OPSig(pki,ski,pk,···) is the set of valid queries Adv askedto the partial oracle such that PVf(mj , σ

′i,j) = 1.

Definition 4. A multi-party verifiably committed signature is secure againstmalicious arbitrator, if any probabilistic polynomial time adversary Adv asso-ciated with partial signing oracle P , succeeds with at most negligible proba-bility, where the probability takes over coin tosses in (pki, ski)← IKG(ki) and(pk, sk∗)← KG∗(k), OPSig(pki,ski,pk,···).

Definition 5. A multi-party verifiably committed signature is secure if it is se-cure against any malicious primary signer, malicious verifier and malicious ar-bitrator.

4 Building Blocks

Before we propose our implementation, we would like to sketch the followingbuilding blocks on which our protocol is based.


4.1 Paillier’s Cryptographic System

Paillier investigated a novel computational problem, called Composite Residuos-ity Class Problem, and its applications to public key cryptography in [15]. Ourconstruction of multi-party verifiably committed signatures will heavily rely onthis probabilistic encryption scheme sketched below.

– the public key is a κ-bit RSA modulus N = PQ, where P , Q are two largesafe primes, where |P |=|Q| =2κ. the private key is (P, Q);

– the plain-text space is ZN and the cipher-text space is Z∗N2 ;

– to encrypt α ∈ ZN , one chooses Ra ∈ Z∗N uniformly at random and computes

the cipher-text as EPK(a, Ra) = (1 + N)aRNa mod N2.

– given c =(1 + N)aRNa mod N2, and trapdoor information (P, Q), one can

first computes c1 (=c mod N), and then compute Ra from the equation Ra

= cN−1modφ(N)1 modN ; Finally, one can compute a from the equation cR−N

a

modN2 =1 + aN .– the encryption function is homomorphic, i.e., EPK(a1, R1) × EPK(a2, R2)

mod N2 = EPK(a1 + a2 mod N , R1 × R2 mod N).

4.2 Fujisaki-Okamoto Commitment Scheme

Let τ be a security parameter. The public key is a τ -bit RSA modulus n=pq,where p, q are two large safe primes. We assume that neither a committer nor areceiver knows factorization n. Let g1 be a generator of QRn and g2 be an elementof large order of the group generated by g1 such that both discrete logarithm ofg1 in base g2 and the discrete logarithm of g2 in base g1 are unknown by thecommitter or the receiver. We denote C(a, ra) = ga

1gra2 modn a commitment to a

in bases (g1, g2), where ra is randomly selected over {0, 2sn}, where s is a securityparameter. This commitment scheme first appeared in [12] and reconsidered byDamg̊ard and Fujisaki [10] is statistically hiding and computationally binding,i.e.,

– a committer is unable to commit itself to two values a1, a2 such that a1 �= a2in Z by the same commitment unless the committed can factor n or solvesthe discrete logarithm of g1 in base g2 or the the discrete logarithm of g2 inbase g1;

– C(a, ra) statistically reveals no information to the receiver, i.e., there is asimulator which outputs simulated commitments to a which are statisticallyindistinguishable from true ones.

– this commitment is homomorphic, i.e., C(a+b, ra+rb) = C(a, ra) × C(b, rb).

4.3 Boudot’s Protocol

With the help of Fujisaki-Okamoto commitment scheme, an efficient protocolallows Alice to prove to Bob that a committed number x ∈ [a, b] belongs to thedesired interval [a, b] (0 < a ∈ Z and a < b ∈ Z), has been proposed by Boudot[4]. The idea behind Boudot’s protocol is that to achieve a proof of membership


without tolerance, the size of x is first enlarged, and then Alice proves to Bob thatthe value 2T x lies in interval < 2T a−2T , 2T b+2T > with tolerance (a proof withtolerance is easier than a proof without tolerance, we refer the reader to [4] forfurther reference), and thus x ∈ [a, b]. Boudot’s protocol is zero-knowledge proofof knowledge and it is sound assuming that the underlying Fujisaki-Okamotocommitment scheme is statistically hiding and computationally binding.

4.4 Proof Equality of a Committed Number and an Encryption inDifferent Moduli

An efficient implementation for proving the equality of a committed number andan encryption has been proposed by Damg̊ard and Jurik[9]:

– let λ be maximum bit length of x. Let C be a commitment C(x, rx) =gx1grx

2modn computed from Fujisaki-Okamoto commitment scheme and E be acipher-text E(x, Rx)= (1 + N)xRx

N modN2 computed from Paillier’s en-cryption scheme, a prover should provide a proof that C and E hide thesame value x.

– the prover chooses at random ω ∈ {0, 1}λ+2l, where l is a security para-meter. The prover sends C′=gω

1 grω2 and E′= E(ω, Rω) to the verifier. Here

we assume that the security parameter κ of Paillier’s system is larger than(λ + 2l)

– the verifier chooses a l-bit challenge f ;– the prover opens the encryptions C′Cf modn and E′Ef modN2, to reveal

in both cases the number z = ω + xf defined over the integer domain. Theverifier checks the opening were correct.

The protocol can be made non-interactive in the standard way using a hash func-tion RO and the Fiat-Shamir technique. It is also statistically zero-knowledgein the random oracle mode.

4.5 Proof Equality of a Committed Number and a DiscreteLogarithm in Different Moduli

Let l, t and s be three security parameters. Assume that a prover Alice holds asecret value x ∈ {0, T }. We denote by E1 =gx

1gr2 modn1, be a commitment com-

puted from Fujisaki-Okamoto commitment scheme and E2 =gx modn2 be a dis-crete logarithm of QRn2 modulo n2, where n2 =p2q2, p2 = 2p′2 + 1, q2 = 2q′2 + 1and QRn2 =< g >. A prover Alice wants to prove to a verifier Bob that she knowsx and r ∈ {−2sn1 + 1, 2sn1 − 1} such that E1 =gx

1gr2 modn1 and E2 =gx modn2.

– Alice picks random strings ω ∈ {1, · · · , 2l+tT − 1} and ρ ∈ {1, · · · , 2l+t+sn −1}. Alice then computes π1 =gω

1 gρ2 modn1 and π2 =gω modn2; Finally, Alice

sends (π1, π2) to Bob;– Bob sends f ∈ {0, 1}2t to Alice;– Alice computes τ1 =ω + fx and τ2 =ρ + fr (over the integer domain Z);– Bob checks whether gτ1

1 gτ22 =π1E

f1 modn1 and gτ1 =π2 Ef

2 modn2.


This protocol originally appeared in [5] and independently in [7] is a zero-knowledge proof of equality of a committed number and a discrete logarithmin different moduli. Again, the protocol can be made non-interactive in the stan-dard way using a hash function RO and the Fiat-Shamir technique. It is alsostatistically zero-knowledge in the random oracle mode.

4.6 Zhu’s Signature Scheme

Our multi-party verifiably committed signatures is built on the top of Zhu’ssignature (see [16], [17] and [18] for more details).

– Key generation algorithm: Let p, q be two large safe primes (i.e., p − 1 =2p′ and q − 1 = 2q′, where p′, q′ are two primes with length (l′ + 1)). Letn = pq and QRn be the quadratic residue of Z∗

n. Let X, g, h ∈ QRn be threegenerators chosen uniformly at random. The public key is (n, g, h, X, H),where H is a collision free hash function with output length l. The privatekey is (p, q).

– Signature algorithm: To sign a message m, a (l + 1)-bit prime e and a stringt ∈ {0, 1}l are chosen at random. The equation ye = XgthH(m)modn issolved for y. The corresponding signature of the message m is (e, t, y).

– Verification algorithm: Given a putative triple (e, t, y), the verifier checksthat e is an (l + 1)-bit odd number. Then it checks the validity of X =yeg−th−H(m)modn. If the equation is valid, then the signature is valid. Oth-erwise, it is rejected.

Zhu’s signature scheme is provably secure against adaptive chosen-message at-tack under joint assumptions that the strong RSA problem is hard and the dis-crete logarithm defined over QRn is hard as well as the underlying hash functionH is collision free.

5 Stand-Alone, Setup-Free Verifiably CommittedSignatures in Multi-party Setting

5.1 Implementation

With the help of these building blocks listed above, we can now describe ourimplementation of multi-party stand-alone, setup-free verifiably committed sig-natures below.

– arbitrary key generation algorithms (KGE , KGC): on input a security para-meter κ, an arbitrary runs KGE (it is a key generator of Paillier’s encryptionalgorithm) to generate κ-bit RSA modulus N = PQ, where P , Q are two largesafe primes. The plain-text space is ZN and the cipher-text space is Z∗

N2 .On input τ , the arbitrator runs KGC (it is a key generator of Okamot-

Fujisaki’s commitment scheme) to generate τ -bit RSA modulus Nc=PcQc,where Pc and Qc are two large prime numbers. KGC also outputs two randomelements g, h ∈ QRNc .


The public key pk = (pkE , pkC), where pkE = (1 + N, N) and pkC =(Nc, g, h). The secret keys sk = (skE , skC), where skE = (P, Q) and skC =(Pc, Qc).

– individual key generation algorithm IKG: on input a security parameter(ki, li, l

′i), the ith user runs IKG (it is a key generation algorithm of Zhu’s sig-

nature scheme) to generate two large primes pi and qi such that pi −1 = 2p′iand qi − 1 = 2q′i, where p′i, q

′i are two (l′i + 1)-bit strings.

Let ni = piqi and QRni be the quadratic residue of Z∗ni

. Let gi, hi be twogenerators of QRni chosen uniformly at random. The public key is the ith

user is (ni, gi, hi, xi, Hi), where xi ∈ QRni and Hi is a collision free hashfunction with output length li. The private key is (pi, qi).

– full signature algorithm Sig: to sign a message mj , a (li + 1)-bit primeei,j and a li bit string ti,j are chosen at random. The equation yi,j

ei,j

=xigiti,j hi

Hi(mj) modni is solved for yj . The corresponding signature σi,j ofthe message mj is (ei,j , ti,j , yi,j).

– verification algorithm Vf: given a putative triple (ei,j , ti,j , yi,j), Vf first checksthat ei,j is an odd (li + 1)-bit number. Second it checks the validation thatxi = yi,j

ei,j g−ti,j

i hi−Hi(mj) modni. If the equation is valid, then Vf accepts,

otherwise, it rejects.– partial signing algorithm PSig: on input a message mj, (li + 1)-bit prime ei,j

and a li string ti,j are chosen at random. The equation yi,jei,j =xigi

ti,j hiHi(mj)

modni is solved for yj . Then the ith user (say Alice) further performs the fol-lowing computations:

• ui,j ← gti,j

i ;• Ei,j ← E(pkE , ti,j), where E(pkE , ti,j) = (1 + N)ti,j RN

i,j modN2;• Ci,j ← C(pkc, ti,j), where C(pkC , ti,j) = gti,j hri,j modNc;• a proof pri,j that she knows that ui,j contains the same number as that

hidden by E(pkE , ti,j) as well as ti,j is a li-bit string. More precisely, theproof pri,j consists of the following three statements:

∗ the prover runs the protocol specified in Section 4.4 and proves tothe verifier Bob the equality of the committed number by Ci,j andthe encrypted number by Ei,j ;

∗ the prover runs the protocol specified in Section 4.5 and proves tothe verifier Bob the equality of the committed number by Ci,j andthe discrete logarithm by ui,j on base gi;

∗ the prover runs the protocol specified in Section 4.3 and proves to theverifier Bob that the committed number by Ci,j lies in the interval{0, 2li − 1} .

The partial signature is denoted by σ′i,j =(ei,j, yi,j , ui,j , ci,j , pri,j).

– The corresponding partial signature verification algorithm PVf: given a pu-tative signature σ′

i,j =((ei,j , yi,j , ui,j, ci,j , pri,j)), the verifier Bob performsthe following checks:

• checking ei,j is an odd (li + 1)-bit number.• checking the validity of the equation xi = yi,j

ei,j g−ti,j

i hi−Hi(mj) modni.

• checking the validity of proof pri,j ;• if all checks are valid then the verifier accepts, otherwise, it rejects.


– resolution algorithm Res: given σ′i,j = ((ei,j , yi,j , ui,j , ci,j pri,j)), and a proof

that Bob fulfilled his obligation to the primary signer pki. If the verificationis passed, then the arbitrator outputs a valid full signature (ei,j , yi,j , ti,j)using his decryption key skE , otherwise, it rejects.

This ends the description of our protocol. We stress that the technique presentedin this section can be easily extended to the case where the underlying signaturescheme is Cramer-Shoup’s hash signature such that individual group Gi is chosenindependently.

5.2 The Proof of Security

The proof of security follows that presented in [19]. We also stress that the tech-nique presented in this section can be applied to the case where the underlyingsignature scheme is Cramer-Shoup’s hash signature with the restriction thatindividual group Gi is chosen independently and is never reused.

Lemma 1. The verifiably committed signature is secure against malicious pri-mary signer in the multi-party setting.

Proof. Suppose the ith user Alice is able to provide a valid partial signatureσ′

i,j = (ei,j , yi,j , ui,j, Ei,j , Ci,j , pri,j) corresponding to a message mj , where thevalid proof pri,j means that she knows that ui,j contains the same number asthe encryption Ei,j and the encrypted value ti,j ∈ I, I = {0, 2li − 1}. Since σ′

i,j

is valid from the viewpoints of its verifier and TTP, by rewinding Alice, bothverifier and cosigner can extract ti,j ∈ I such that

ui,j = gti,j

1 , Ei,j = E(pkE , ti,j), yei,j

i,j = xigti,j

i hHi(mj)i , ti,j ∈ I.

It follows that the designated TTP can always transform any valid partialsignature scheme into the correspondenting valid signature σi,j=(ei,j , yi,j , ti,j).

Lemma 2. Our construction is secure against malicious verifier under the jointassumptions that Fujisaki-Okamoto’s commitment scheme is statistically hidingand computationally binding and Paillier’s encryption scheme is semanticallysecure and one-way.

Proof. We convert any attacker B that attacks our verifiably committed signa-ture scheme into an inverter B′ of the underlying encryption scheme. That is,given a random cipher-text Ei,j , B′ will obtain the corresponding plain-text mj

with non-negligible probability with the help of the attacker B. This can be doneas follows:

– B′ runs IKG to generate the ith primary signer’s public/secret key (pki, ski)as that in the real verifiably committed signature scheme and obtains thepublic and secret key pair (pki, ski).

– B′ then runs KG to generate the arbitrator’s public/secret key (pk, sk) asthat in the real verifiably committed signature scheme and obtains pk butnot sk from the arbitrator.


Given the target cipher-text Ei,j , we first describe a simulator of the partialsignature oracle OPSig(pki,ski,pk,···) as follows:

Let qPSig be the total number of queries made by B, and let ι be a randomnumber chosen from {1, qPSig} by B′.

– If i ∈ {1, qPSig} and i �= ι, then B′ runs the partial signing oracle as the realpartial signature scheme;

– If i ∈ {1, qPSig} and i = ι, for the given target cipher-text Ei,j , B′ choosesa random string fi,j, zi,j and ui,j in the correct interval specified in thereal protocol and then B′ computes E′

i,j from the equation E(pkE , z) = E′i,j

Efi,j

i,j . At the same time, it computes u′i,j from the equation g

zi,j

i = u′i,j u

fi,j

i,j .

– Given ui,j, B′ computes (ei,j , yi,j) from the equation yei,j

i,j = xiui,jhHi(mj)i ,

this is possible since B′ knows the secret key ski (notice that B′ assigns fi,j

to be the hash value of the random oracle RO if the specified protocol inSection 4.5 is non-interactive).

Similarly, for the given ui,j , there exists a simulator that can simulateviews for the following proofs:

• a proof of equality of the committed number Ci,j and the discrete loga-rithm loggi

(ui,j), where Ci,j is a forgery commitment;• a proof of equality of the committed number by Ci,j and the encrypted

number by Ei,j ;• a proof that the committed number by Ci,j lies in the correct interval.

Such a simulator can be defined by the concatenation of individual sim-ulators for the above zero-knowledge proof systems since Boudot’s proto-col, Damg̊ard and Jurik’s protocol, as well as Boudot, and Camenisch andMichels’ protocols are zero-knowledge proof systems (see Section 4.3, Sec-tion 4.4 and Section 4.5 for more details). As a result, the existence of sucha simulator following the definition of the zero-knowledge proof system im-mediately.

B′ simulates ORes(pki,sk,pk,···) oracle queries as follows:

– If (mj , σ′i,j) that is in the partial signature query list and if j �= ι, then

ORes(pki,sk,pk,···) outputs ti;– If (mj , σ

′i,j) that is in the partial signature query list and if j = ι, then

ORes(pki,sk,pk,···) outputs ⊥;– If (mj , σ

′i,j) that is not in the partial signaturequery list, thenORes(pki,sk,pk,···)

outputs ⊥.

Notice that the probability that the simulator outputs ⊥ is 1 − 1/qPSig for

the queries whose partial signatures are listed in the OPSig(pki,ski,pk,···) oraclequery. Thus when the adversary outputs a valid full signature (m∗, σ∗) whosepartial signature is in the list of OPSig(pki,ski,pk,···) oracle query, the probabilitythat B′ can invert the target cipher-text Ei,j with probability at least ε/qPSig,


where ε stands for the probability that B can break our verifiably committedsignature scheme.

Lemma 3. Our construction is secure against malicious arbitrator under thejoint assumptions that the underlying Zhu’s signature scheme is secure againstadaptive chosen-message attack, Fujisaki-Okamoto’s commitment scheme is sta-tistically hiding and computationally binding and Paillier’s encryption schemeis semantically secure.

Proof. Suppose an arbitrator is able to forgery partial signature σ′i,j with non-

negligible probability, then by rewinding the arbitrator, we can extract ti,j fromthe valid proof pri,j . It follows that the arbitrator is able to output a validforgery signature from Zhu’s signature scheme with non-negligible probability.Since the underlying Zhu’s signature scheme signature has proved to be secureagainst adaptive chosen-message attack under joint assumptions of the strongRSA problem as well as the existence of collision free hash function. It followsthat our construction is secure against semi-trusted arbitrator under joint as-sumptions that the hardness of the strong-RSA problem and the existence ofcollision free hash functions.

In summary, we have proved the main result below:

Theorem 1. The stand-alone, setup-free verifiably committed signature schemeconstructed above is provably secure under the joint assumption that the under-lying Zhu’s signature scheme is secure against adaptive chosen-message attack,Fujisaki-Okamoto’s commitment scheme is statistically hiding and computation-ally binding and Paillier’s encryption is semantically secure and one-way.

6 Conclusion

In this paper, we have demonstrated a gap between the security of a two-partyverifiably committed signatures and the security of multi-party verifiably com-mitted signatures. We also have extended Dodis and Leyzin’s security model forthe two-party verifiably committed signatures to the multi-party setting. Finally,we have implemented an efficient stand-alone and setup-free verifiably commit-ted signatures in the multi-party setting and shown that our implementation isprovably secure under the joint assumptions that the underlying Zhu’s signaturescheme is secure against adaptive chosen-message attack, Fujisaki-Okamoto’scommitment scheme is statistically hiding and computationally binding and Pail-lier’s encryption is semantically secure and one-way.

References

1. N.Asokan, M.Schunter and M.Waidner: Optimistic Protocols for Fair Exchange.ACM Conference on Computer and Communications Security 1997: 7 - 17.

2. N.Asokan, V.Shoup and M.Waidner: Optimistic Fair Exchange of Digital Signa-tures (Extended Abstract). EUROCRYPT 1998: 591 - 606.


3. D.Boneh, C.Gentry, B.Lynn and H.Shacham: Aggregate and Verifiably EncryptedSignatures from Bilinear Maps. EUROCRYPT 2003: 416 -432

4. F.Boudot: Efficient Proofs that a Committed Number Lies in an Interval. Proc. ofEUROCRYPT 2000: 431 - 444, Springer Verlag.

5. F.Boudot and J.Traore: Efficient Publicly Verifiable Secret Sharing Schemes withFast or Delayed Recovery. ICICS’99, 87- 102.

6. Ran Canetti: Universally Composable Signature, Certification, and Authentication.CSFW 2004, 219.

7. J.Camenisch and M.Michels: Proving in Zero-Knowledge that a Number Is theProduct of Two Safe Primes. EUROCRYPT 1999: 107-122.

8. R.Cramer and V.Shoup. Signature scheme based on the Strong RAS assumption.6th ACM Conference on Computer and Communication Security, Singapore, ACMPress, November 1999.

9. I.Damg̊ard and M.Jurik: Client/Server Tradeoffs for Online Elections. Proc. ofPublic Key Cryptography 2002: 125 - 140. Springer Verlag.

10. I.Damg̊ard and E.Fujisaki: A Statistically-Hiding Integer Commitment SchemeBased on Groups with Hidden Order. Proc. of ASIACRYPT 2002: 125 - 142,Springer Verlag.

11. Y.Dodis and L.Reyzin. Breaking and Repairing Optimistic Fair Exchange fromPODC 2003, ACM Workshop on Digital Rights Management (DRM), October2003.

12. E.Fujisaki and T.Okamoto. Statistically zero knowledge protocols to prove modularpolynomial relations. Crypto’97. 16 - 30, 1997.

13. S.Goldwasser, S.Micali and R.L.Rivest: A Digital Signature Scheme Secure AgainstAdaptive Chosen-Message Attacks. SIAM J. Comput. 17(2): 281 - 308 (1988).

14. S.Lu, R.Ostrovsky, A.Sahai, H.Shacham and B.Waters: Sequential Aggregate Sig-natures and Multisignatures Without Random Oracles. EUROCRYPT 2006: 465-485

15. P.Paillier: Public-Key Cryptosystems Based on Composite Degree ResiduosityClasses. Proc. of EUROCRYPT 1999: 223 - 238, Springer Verlag.

16. H.Zhu. New Digital Signature Scheme Attaining Immunity to Adaptive Chosen-message attack. Chinese Journal of Electronics, Vol.10, No.4, Page 484-486, Oct,2001.

17. H. Zhu. A formal proof of Zhu’s signature scheme, http://eprint.iacr.org/,2003/155.

18. H.Zhu: Constructing Committed Signatures from Strong-RSA Assumption in theStandard Complexity Model. Public Key Cryptography 2004: 101-114.

19. H.Zhu and F.Bao: Stand-Alone and Setup-Free Verifiably Committed Signatures.CT-RSA 2006: 159-173.

20. H.Zhu and F.Bao: More on Stand-Alone and Setup-Free Verifiably CommittedSignatures. ACISP 2006: 148 -158.

Multi-party Stand-Alone and Setup-Free Verifiably Committed ...

Documents

Transcript of Multi-party Stand-Alone and Setup-Free Verifiably Committed ...